speakerNEW!iShredder™ Business for iOS and Android are now available for Enterprise users.Learn more

AppCloud & Aura: How Invasive Bloatware Spies on Samsung Users in WANA

AppCloud & Aura: How Invasive Bloatware Spies on Samsung Users in WANA
November 18, 2025

Imagine this: You buy a new Samsung smartphone, set it up, and somewhere deep in the system an app called AppCloud is running. You never knowingly installed it, you can’t uninstall it like a normal app, and yet it’s collecting data about you.

That’s exactly what is currently happening millions of times over in West Asia and North Africa (WANA). Research by the digital-rights organization SMEX shows that on many Samsung devices in the region, an Israeli‑founded piece of bloatware called AppCloud comes preinstalled and collects user data without transparent information for users and without a straightforward way to object.

So what exactly is AppCloud?

AppCloud is a preinstalled system component on many Samsung Galaxy A‑ and M‑series devices in the WANA region. According to SMEX, it ends up on devices through an expanded partnership between Samsung MENA and the Israeli‑founded company ironSource (now part of Unity).

Particularly problematic:

AppCloud runs deep in the system and behaves more like a system service than a regular app.

For regular users, completely removing it is practically impossible without root access—which risks voiding the warranty and causing security issues.

The app installs or controls another service called Aura, which can push additional apps and recommendations onto your device—including personalized ads.

SMEX and other sources criticize that the privacy policy is hard to find, that there is no clear opt‑out option, and that sensitive data such as IP address, device fingerprints, and in some cases biometric information is processed.

In short: AppCloud is not just a “convenience service,” but a deeply embedded advertising and tracking system whose origin and behavior are especially sensitive in a politically charged environment.

Why is the WANA region particularly affected?

Several factors make the situation in West Asia and North Africa especially serious:

1. High Samsung market share

In the region, Samsung is the leading smartphone vendor with around a 28% market share, according to market analyses.
If AppCloud is enabled by default on many A‑ and M‑series devices, this affects a significant portion of the population.

2. Legal and geopolitical dimension

In countries such as Lebanon, Israeli companies are legally barred from doing business. Nevertheless, AppCloud comes from an Israeli‑founded company that now belongs to a US corporation.

3. Opaque data collection

SMEX accuses AppCloud of operating without informed consent, collecting sensitive data, and failing to offer a clear opt‑out. This may constitute a violation of data‑protection rights in several countries across the region.
In an open complaint to Samsung, SMEX is therefore calling for transparency about AppCloud, simple opt‑out mechanisms, and an end to forced installation on devices in WANA.

Technical IOCs for AppCloud / AppCloud‑OOBE and Aura

Note:
The following hash values and certificate data relate to officially signed AppCloud/Aura builds and related components (bloatware / ad‑tech). Mainstream AV engines generally do not classify them as classic malware, but as preinstalled advertising or tracking software or potentially unwanted software.
We list them here as Indicators of Compromise (IOCs) in the sense of “this component is present,” not as “virus hashes.”

1. File hashes for AppCloud / AppCloud‑OOBE

1.1 AppCloud – package com.ironsource.appcloud.oobe (Sprint / generic OOBE versions)

The following hashes belong to known, officially signed AppCloud‑OOBE builds, such as those provided via APKMirror for Sprint devices. They are not infections, but reference values that you can use to recognize AppCloud variants in your own analyses.

Variant 1 – AppCloud 6.3.29.0 (Android 7.0+, Sprint build)
Source: APKMirror, package com.ironsource.appcloud.oobe.

  • SHA‑256: 53f4cc60049251f5ad966d55f0e1eea799452fba8995a8b7319614f593570cfd

APKMirror also shows the certificate fingerprint for the Sprint signature (not the ironSource signature):

  • Cert SHA‑256: 27f96dbab77b31f6953e4cd2c2defe15f5d7c78f073dd7162018ef476b097c34

Variant 2 – AppCloud 3.8.8.4.3 (older Sprint build)
Also from APKMirror, package com.ironsource.appcloud.oobe.

  • SHA‑256: dcbbac7e05f332a6288f65934fc5f4ee189e41f0db89bcedb86f52cd16a0703f

Here, too, the same Sprint certificate fingerprint is used.

Assessment:
These hashes are useful reference values if you want to search your own APK collections or log data for classic AppCloud‑OOBE builds. They are not Samsung‑specific, however, but typical carrier/OEM variants.

1.2 AppCloud – package com.aura.oobe.samsung.gl (Samsung variant)

For the Samsung variant with the package name com.aura.oobe.samsung.gl, which is particularly relevant in the WANA context, there is currently no reliable, publicly maintained hash list.

For the specific WANA system builds of com.aura.oobe.samsung.gl, no trustworthy, publicly documented SHA‑256 hashes exist at this time. For IOC purposes, it’s therefore better to rely on:

Package names (com.aura.oobe.samsung.gl, com.aura.oobe.samsung),
Certificate fingerprints (see section 2),
And network IOCs (see section 3),

rather than depending on individual file hashes.

1.3 Additional ironSource/AppCloud ecosystem hashes

There are other variants in the AppCloud/Aura ecosystem that come preinstalled on devices from other manufacturers or carriers. These are not the direct Samsung/WANA builds, but can clearly be assigned to the same ecosystem and are useful for clustering:

vrChannel 2.4.7.1 – package com.ironsource.appcloud.store.lg.vr (LG/VR variant)
Source: APKPure.

  • File SHA‑1: 4b77673f031749feaef5026dfd15025800aa650d
    Signature (certificate SHA‑1): 01d845b26b688d8ef647205a5944e9407e52e06e

Airtel Store, Uganda 1.5.1 – package com.ironsource.appcloud.appstore.airtelug (carrier variant)
Source: APKPure.

  • File SHA‑1: e4be20c769d0a89e3e477a3bf9221eddc85ee33f
    Signature (certificate SHA‑1): 7ff152f5eaca441d32542d3588bbe08b2a6bfc3b

Assessment:
These hashes are useful if you want to analyze or categorize the entire AppCloud/Aura ecosystem (for example for telemetry, clustering, or threat intelligence). For concrete Samsung/WANA detection, however, they are more “nice to have” than core IOCs.

2. Certificate fingerprints for ironSource/AppCloud

Certificate fingerprints are often more stable than individual file hashes, as long as the vendor does not resign the apps. For AppCloud builds signed with an ironSource certificate, APKMirror shows, among other things, the following data:

Organization (O): ironSource Ltd.
Cert SHA‑256: 04671dd36b2be531a6c1869422bb8944a76e646ac5824f864e530910c00b41c7

This fingerprint appears, for example, in AppCloud versions like 6.3.17.3 or 8.1.11.0 that were signed directly by ironSource.

Practical use:
If you analyze APKs automatically (internal scanners, CI/CD, firmware audits), you can flag every app signed with this certificate as an “ironSource/AppCloud candidate”—regardless of the exact hash. Combined with package names and domains, this makes it much easier to detect a substantial portion of the AppCloud ecosystem.

3. Network IOCs (for Suricata, pf, DNS filtering, etc.)

From an infrastructure perspective, network indicators are often more robust than individual file hashes, because binaries can change with every update, while backend domains often remain stable for years.

Important domains in the AppCloud/Aura environment include, for example:

assetscdn.isappcloud.com – CDN for AppCloud assets; listed as “suspicious/malicious” in several sandbox reports and reputation databases, in part because EXE files with low AV detection rates were delivered from there.

persy.isappcloud.com – appears, for example, in ImmuniWeb tests of com.aura.oobe.samsung.gl as an external communication endpoint.

Additional domains that appear in provider and community threads in the AppCloud context, such as:

  • ape-androids2.isappcloud.com
  • ape-eu.isappcloud.com
  • ib.isappcloud.com
  • user-profile.isappcloud.com

Step by step: How to find and get rid of AppCloud

Even without root access, there’s a lot you can do to detect AppCloud and limit its impact. The following is a compact guide based on recommendations from SMEX, independent developers, and community how‑tos.

1. Detecting it via system settings

On many devices, you can find AppCloud directly in the settings:

Open Settings → Apps.

Enable the option Show system apps (if available).

Search for “AppCloud,” or scroll through the list and look for names like AppCloud, Aura, or provider‑branded variants.

Tap the entry and, if needed, note the package name (for example com.aura.oobe.samsung).

If you see that the app has many permissions and can’t be uninstalled like a normal app, that’s a strong indication that you’re dealing with the bloatware in question.

2. Disabling it and limiting data flow

Even if AppCloud often can’t be fully removed, you can limit the damage:

Open Settings → Apps → AppCloud.

Choose Force stop to stop the running instance.

If possible, set the app to Disable so it no longer runs in the foreground.

In the Galaxy Store or the app settings, check whether you can disable background data and automatic app installation. Many users report that this significantly reduces how much additional bloatware gets installed.

Important: After major system updates, you should check whether AppCloud has been re‑enabled—some users report that the app reappears after updates.

3. Full removal with ADB (advanced users only!)

If you’re technically experienced and willing to accept some risk, you can remove AppCloud from your user account with the help of the Android Debug Bridge (ADB).

The basic process:

Install ADB on your computer (Android Platform Tools).

Enable Developer options and USB debugging on your smartphone.

Connect the device via USB and authorize the ADB connection.

Run the ADB shell command in a terminal/PowerShell window on your PC, for example:

  • adb shell pm uninstall -k --user 0 com.aura.oobe.samsung

This command removes the package for your user account.

Depending on the device/region, you might need to use a different package name (see IOCs above).

Important note:
This kind of intervention is for advanced users. Incorrect ADB commands can cause unstable behavior, and in some cases manufacturers may claim that the warranty is void if unwanted changes are made to the system. When in doubt, make a full backup first and read up thoroughly on the subject.

Technical protection with Anti Spy & Antivirus AI

Even if you can’t completely get rid of AppCloud, the right tools can make your device much more resilient—especially against spyware, stalkerware, and aggressive adware components.

Anti Spy: Focus on surveillance and stalkerware

Anti Spy is a specialized anti‑spyware solution for Android. The app has been tested by the independent lab AV‑TEST and rated with a very high detection rate for Android malware; in addition, Anti Spy is the first and so far only anti‑spyware app to receive a DEKRA MASA L1 certification.

In practice, that means for you:

Anti Spy analyzes installed apps and processes not only using classic signatures, but also with an AI‑powered dual scanner to detect suspicious behavior—such as hidden spy apps, stalkerware, or trackers that quietly run in the background with sensitive permissions.

The app is designed to raise alerts even for system or manufacturer apps if they behave like surveillance software—regardless of whether they are visible in the app drawer or not.

According to a recent analysis by Exodus Privacy, the latest published analyzed version (6.7.3) of Anti Spy includes 0 trackers, which independently confirms that there are no hidden advertising or analytics libraries bundled with it.

Especially in scenarios like AppCloud/Aura, this is crucial: You get a second opinion on whether apps on your device behave like surveillance or spy software—even when they are shipped as “system components.”

Antivirus AI: AI‑based malware protection against adware & more

Antivirus AI is the ideal complement to Anti Spy: its focus is on classic malware, ransomware, trojans, and aggressive adware—powered by an AI engine that constantly learns and dynamically adapts its detection rules (“AI Life Rules”).

Some aspects that are relevant in the AppCloud context:

Antivirus AI has been certified multiple times by AV‑TEST and reached detection rates well above 99% in internal and external tests, drastically reducing the risk of threats going undetected.

The AI engine also analyzes apps that are not formally classified as “malware” but fall into a gray area due to suspicious network or tracking activity—precisely the category many bloatware and ad‑tech components fall into.

According to recent reports from Exodus Privacy, there are different versions of Antivirus AI: an earlier version (2.1.2) still included one tracker, while the newer analyzed version 2.2.2 is listed with 0 trackers. This shows that Protectstar has actively reduced tracking.

Together, Anti Spy and Antivirus AI create a protective shield that goes well beyond a classic “virus scanner”: you gain visibility into which apps are installed on your device, how they behave—and you can clean things up in a targeted way.

The AppCloud case is a textbook example of what happens when monetization is prioritized over privacy. Manufacturers and ad‑tech companies make deals in the background, and in the end software runs on your smartphone that you know nothing about—yet it has extensive permissions.

Protectstar consciously chooses the opposite approach:

The Android apps Anti Spy and Antivirus AI focus on protection instead of data collection.

Certifications by independent labs like AV‑TEST and DEKRA underline that the products are not only effective but also transparent.

Independent analyses—especially by Exodus Privacy—show that Protectstar designs its apps so that no hidden tracking SDKs are embedded, or that such components are systematically removed.

Especially in regions where there is already an elevated risk of surveillance for political and legal reasons, this is a strong counter‑model to “invisible bloatware.”

Conclusion: Your smartphone, your data

The story of AppCloud and Aura shows how quickly your smartphone can become a tool for profiling, advertising, and potentially even surveillance without you ever having actively consented.

Sources & further reading

  1. SMEX – “Invasive Israeli-founded bloatware is harvesting data from Samsung users in WANA”
    URL: https://smex.org/invasive-israeli-software-is-harvesting-data-from-samsung-users-in-wana/
  2. SMEX – “Open Letter to Samsung: End Forced Israeli-Founded Bloatware Installations in the WANA Region”
    URL: https://smex.org/open-letter-to-samsung-end-forced-israeli-app-installations-in-the-wana-region/
  3. Al-Estiklal – “Samsung’s ‘Aura’: Israeli Spyware in Your Pocket”
    URL: https://www.alestiklal.net/en/article/samsung-s-aura-israeli-spyware-in-your-pocket
  4. Athul Krishnan (Medium) – “Bloatware and Samsung, How to get rid of them for good”
    URL: https://athul-kris.medium.com/bloatware-and-samsung-how-to-get-rid-of-them-for-good-775a44c73752
  5. TechFinitive – “What is App Cloud? How do I delete it?”
    URL: https://www.techfinitive.com/explainers/what-is-app-cloud-delete/
  6. Protectstar – product page “Anti Spy Android: Anti Spyware Scanner”
    URL: https://www.protectstar.com/en/products/anti-spy
  7. Protectstar – product page “Antivirus AI for Android”
    URL: https://www.protectstar.com/en/products/antivirus-ai
  8. Protectstar Blog – “Anti Spy: World’s First Antispyware App with Dual Certification” (AV‑TEST & DEKRA)
    URL: https://www.protectstar.com/en/blog/anti-spy-worlds-first-antispyware-app-dual-certification
  9. Protectstar Blog – “Protectstar Antivirus AI Android Celebrates Its Third AV-TEST Triumph”
    URL: https://www.protectstar.com/en/blog/protectstar-antivirus-ai-android-celebrates-its-third-av-test-triumph
  10. AV-TEST – product review Protectstar Anti Spyware 6.0 (Android)
    URL (EN): https://www.av-test.org/en/antivirus/mobile-devices/android/january-2024/protectstar-anti-spyware-6.0-243113/
  11. AV-TEST – product review Protectstar Antivirus AI 2.1 (Android)
    URL (DE): https://www.av-test.org/de/antivirus/mobilgeraete/android/mai-2024/protectstar-antivirus-ai-2.1-243312/
  12. Exodus Privacy – report for “com.protectstar.antispy.android” (Anti Spy, version 6.7.3)
    URL: https://reports.exodus-privacy.eu.org/en/reports/664531/
  13. Exodus Privacy – report for “com.protectstar.antivirus” (Antivirus AI, version 2.2.2)
    URL: https://reports.exodus-privacy.eu.org/it/reports/623115/
  14. Exodus Privacy – project page (general info & app analysis)
    URL: https://exodus-privacy.eu.org/en/
Was this article helpful? Yes No
1 out of 1 people found this article helpful
Cancel Submit

Related articles

AppCloud & Aura: How Invasive Bloatware Spies on Samsung Users in WANA

AppCloud & Aura: How Invasive Bloatware Spies on Samsung Users in WANA

AppCloud & Aura: How Invasive Bloatware Spies on Samsung Users in WANA
Back Go back